Adversaries may acquire user credentials from third-party password managers.(Citation: ise Password Manager February 2019) Password managers are applications designed to store user credentials, normally in an encrypted database. Credentials are typically accessible after a user provides a master password that unlocks the database. After the database is unlocked, these credentials may be copied to memory. These databases can be stored as files on disk.(Citation: ise Password Manager February 2019)
Adversaries may acquire user credentials from password managers by extracting the master password and/or plain-text credentials from memory.(Citation: FoxIT Wocao December 2019)(Citation: Github KeeThief) Adversaries may extract credentials from memory via Exploitation for Credential Access.(Citation: NVD CVE-2019-3610) Adversaries may also try brute forcing via Password Guessing to obtain the master password of a password manager.(Citation: Cyberreason Anchor December 2019)
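The memory-extraction path described above is the one that host telemetry can see: a process that is not the password manager itself opening the manager's process with memory-read rights. The script below is an added example of that check, written here for this page; it is not code from MITRE ATT&CK or from any password manager project. It runs over constructed Sysmon-style ProcessAccess (Event ID 10) records embedded inline. The list of password-manager image names, the allow-list of trusted source images, and the sample paths are assumptions to be tuned per environment; the access-right constants are the documented Win32 process access rights.

```python
"""Flag memory access to password-manager processes in Sysmon-style
ProcessAccess (Event ID 10) records.

Added example for the T1555.005 description; the events below are
constructed sample data, not real telemetry.
"""
import json
from pathlib import PureWindowsPath

# Image names treated as password managers (assumption: adjust to what is deployed).
PASSWORD_MANAGER_IMAGES = {"keepass.exe", "keepassxc.exe", "1password.exe", "bitwarden.exe"}

# Source images expected to open other processes legitimately (assumption: tune per host).
ALLOWED_SOURCES = {r"c:\windows\system32\csrss.exe"}

# Win32 process access rights (documented values, not specific to this page).
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
MEMORY_RIGHTS = PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE


def parse_access(granted: str) -> int:
    """Sysmon records GrantedAccess as a hex string such as '0x1010'."""
    return int(granted, 16)


def is_suspicious(event: dict) -> bool:
    """True when a non-allow-listed process opens a password manager with
    rights that permit reading or writing its memory."""
    target = PureWindowsPath(event["TargetImage"]).name.lower()
    if target not in PASSWORD_MANAGER_IMAGES:
        return False
    source = event["SourceImage"].lower()
    if source in ALLOWED_SOURCES:
        return False
    return bool(parse_access(event["GrantedAccess"]) & MEMORY_RIGHTS)


def scan(lines):
    """Parse one JSON record per line and return the suspicious ones
    as (source, target, granted_access) tuples."""
    hits = []
    for line in lines:
        event = json.loads(line)
        if is_suspicious(event):
            hits.append((event["SourceImage"], event["TargetImage"], event["GrantedAccess"]))
    return hits


# Constructed sample records (not real logs). Only the second one should fire:
# a tool from a user profile opening KeePass with PROCESS_VM_READ (0x0010).
SAMPLE_EVENTS = [
    json.dumps({"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
                "TargetImage": r"C:\Program Files\KeePass\KeePass.exe",
                "GrantedAccess": "0x1FFFFF"}),
    json.dumps({"EventID": 10, "SourceImage": r"C:\Users\alice\Downloads\tool.exe",
                "TargetImage": r"C:\Program Files\KeePass\KeePass.exe",
                "GrantedAccess": "0x1010"}),
    json.dumps({"EventID": 10, "SourceImage": r"C:\Windows\explorer.exe",
                "TargetImage": r"C:\Windows\System32\notepad.exe",
                "GrantedAccess": "0x1410"}),
    json.dumps({"EventID": 10, "SourceImage": r"C:\Users\alice\AppData\Local\Updater\updater.exe",
                "TargetImage": r"C:\Program Files\KeePass\KeePass.exe",
                "GrantedAccess": "0x1000"}),  # query-limited only, no memory rights
]

if __name__ == "__main__":
    for source, target, access in scan(SAMPLE_EVENTS):
        print(f"suspicious access: {source} -> {target} ({access})")
```

The same predicate can be expressed as a SIEM rule: filter Event ID 10 on the target image, subtract the known-good source images, and test the GrantedAccess mask against the memory rights rather than matching a fixed value, since a reader needs only PROCESS_VM_READ and the exact mask it requests varies by tool. The fourth sample record shows why masking matters: 0x1000 (query limited information) touches the password manager without touching its memory and should not alert.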
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
---|---|---|---|---
CM-2 | Baseline Configuration | Protects | T1555.005 | Password Managers |
CM-6 | Configuration Settings | Protects | T1555.005 | Password Managers |
IA-2 | Identification and Authentication (Organizational Users) | Protects | T1555.005 | Password Managers |
IA-5 | Authenticator Management | Protects | T1555.005 | Password Managers |
SI-2 | Flaw Remediation | Protects | T1555.005 | Password Managers |
SI-4 | System Monitoring | Protects | T1555.005 | Password Managers |
action.malware.variety.Password dumper | Password dumper (extract credential hashes) | related-to | T1555.005 | Credentials from Password Stores: Password Managers |